
[Reverse Engineering] Find data decryption algorithm.

First of all, hi and Merry Christmas to everyone.

I am not sure if I've chosen the correct section to post my thread, so I apologize if it's wrong; feel free to move it where it belongs.

Now to the problem.
I am basically a 3D developer; I write importers and exporters of game files into 3D development software (Blender for now), BUT lately I came across some files that are meant to contain 3D data, and they seem to be encrypted. I am not sure if I am using the correct word either, but I assume that since in the hex editor the data does not contain characters as a whole, it's not encoded.

So what I am trying to do is find my way through these fields that are unknown to me (both decrypting and reversing), and I am kind of completely lost :P

I started debugging the game, trying to find where the file is accessed and to see how the data is handled, but it does not seem to be that easy.
From the few things that I know (btw I am using Olly to debug the game), I searched the memory for a byte sequence taken from the actual file (there are already tools available to unpack them from their archives) and I did find the place in memory where the file is stored. Then I thought that by adding a memory breakpoint there the game would stop and I would see the data. That never happened...

So I have no idea what I should do now; I have no idea if my approach to the problem is correct.

That's why I am asking desperately for help :P If someone more experienced than me has some advice, thought or guidance to give, please do so, I am asking for it.

PS: The decryption key that I am probably asking for should be a string??? Could it be just an array of bytes?

Re: [Reverse Engineering] Find data decryption algorithm.

Originally Posted by 2kaud

Why not simply ask the person from whom they came how to access them?

I wrote above that all those files are contained in archives, which we do know how to read. I can unpack them as well. The problem is that the unpacked files are not in a "readable" format; they need to be decrypted.

Re: [Reverse Engineering] Find data decryption algorithm.

Print-screen the OllyDbg window at the starting point of the decryption algorithm you have found.

Assuming you have found the decryption algorithm, as the code loops through decrypting the data, your decrypted data will still be stored in memory, so you are going to need to alter that code in OllyDbg to write the decrypted bytes to an output file, and you will have your decrypted file format. This may sound relatively simple, but I am also assuming the game has no checksum routines or anti-reversing techniques....

Re: [Reverse Engineering] Find data decryption algorithm.

Originally Posted by gaar321

Print-screen the OllyDbg window at the starting point of the decryption algorithm you have found.

Assuming you have found the decryption algorithm, as the code loops through decrypting the data, your decrypted data will still be stored in memory, so you are going to need to alter that code in OllyDbg to write the decrypted bytes to an output file, and you will have your decrypted file format. This may sound relatively simple, but I am also assuming the game has no checksum routines or anti-reversing techniques....

That sounds OK, but I have not found the decryption algorithm. That's the main problem. I have no clue how to locate it.

And I think there might be other issues as well. The game detects debugging software when it's started, so I cannot start the game through Olly. The only workaround I've found for that is to start the game and be as quick as possible with attaching Olly to the game executable. This way I think I am losing commands that could possibly do the work before I even start debugging. Is there any way that I can stall the execution of the game so that I can attach the debugger in time?

Re: [Reverse Engineering] Find data decryption algorithm.

Originally Posted by gregkwaste

The game detects debugging software when it's started, so I cannot start the game through Olly.

This is a possibility. Firstly, what is the game? If it is a commercial game, are you fully aware of the copyright? Secondly, if that is the case, you can change the entry point address statically with a hex editor if you are able to back-trace in Olly what code is causing it after attaching.

Re: [Reverse Engineering] Find data decryption algorithm.

Originally Posted by gaar321

This is a possibility. Firstly, what is the game? If it is a commercial game, are you fully aware of the copyright? Secondly, if that is the case, you can change the entry point address statically with a hex editor if you are able to back-trace in Olly what code is causing it after attaching.

Yes, it's a commercial game, and I am fully aware of the copyright; I do not intend to do any harm or crack it in some way or something like that, and even if I wanted to, I have no idea how to do it. All I want is to get that model into Blender :P

Hmmm, so what I have to do is change the EP to a higher value? What would that save me from? The debugging check? Or is this the only way I can backtrace? Because if I could search for specific memory addresses accessed after the commands were executed, I would probably find something :O

Re: [Reverse Engineering] Find data decryption algorithm.

Changing the EP to a higher value is a possibility to bypass the debug check, provided that no crucial code is skipped by doing so; however, just a random change to the EP address will get you nowhere unless you have a huge amount of luck.

Going with a very generic approach: let the game run, then attach OllyDbg as you have done, set breakpoints on file-reading functions, then analyse the data IF a breakpoint is hit; check whether you have got the file name you want ("3D.obj"), blah blah, and then follow through the code to find where the decryption is taking place. If this method does not work, eliminate this approach, as you will then have to try and start the game up with OllyDbg and use initiative to find the anti-debugging techniques and remove them ("this is where I remain silent"); if successfully removed, check if read-file function breakpoints are hit.

Re: [Reverse Engineering] Find data decryption algorithm.

Originally Posted by gaar321

Changing the EP to a higher value is a possibility to bypass the debug check, provided that no crucial code is skipped by doing so; however, just a random change to the EP address will get you nowhere unless you have a huge amount of luck.

Going with a very generic approach: let the game run, then attach OllyDbg as you have done, set breakpoints on file-reading functions, then analyse the data IF a breakpoint is hit; check whether you have got the file name you want ("3D.obj"), blah blah, and then follow through the code to find where the decryption is taking place. If this method does not work, eliminate this approach, as you will then have to try and start the game up with OllyDbg and use initiative to find the anti-debugging techniques and remove them ("this is where I remain silent"); if successfully removed, check if read-file function breakpoints are hit.

With some tricks with 3rd-party applications I think that I managed to suspend the app and attach Olly at the very early stages of the game without messing around with the EP.
I have some questions though. It's a huge game, many modules are running, and I am getting lost.
It seems like Olly's searches for calls and strings and stuff like that are module-exclusive. It shows me the results of the current module's calls. But how do I know which module I should check for calls?

Also, it seems like every module has multiple threads. Does that have any role in my searching or the code execution? I am playing just with the main one in each module.

Re: [Reverse Engineering] Find data decryption algorithm.

For every module that the game loads/uses, set breakpoints on calls such as ReadFile() (you can obviously skip essential modules such as kernel32.dll etc.) or other equivalents, then check the filename etc., then step through each piece of code until you notice that the file is being processed/decrypted in memory. No, it won't have any effect if it is using multiple threads, because if you set the correct breakpoints OllyDbg will pause in the thread etc. To help further I would need an analysis of the game myself... telling me what the game is and what model you want would be a good start.

Re: [Reverse Engineering] Find data decryption algorithm.

Originally Posted by gaar321

For every module that the game loads/uses, set breakpoints on calls such as ReadFile() (you can obviously skip essential modules such as kernel32.dll etc.) or other equivalents, then check the filename etc., then step through each piece of code until you notice that the file is being processed/decrypted in memory. No, it won't have any effect if it is using multiple threads, because if you set the correct breakpoints OllyDbg will pause in the thread etc. To help further I would need an analysis of the game myself... telling me what the game is and what model you want would be a good start.

Well, most calls I found that had to do with file reading were in kernel32 and kernelba, so I set breakpoints on them, and they were called many, many times.
The sad thing is that I passed the call for my file, so I have to do it again.

I'd love to send you more information about the game and stuff, but I would not like to post it here in public; please enable your PMs or give me a mail account so I can send you all the information you need to know.
Thanks in advance

Re: [Reverse Engineering] Find data decryption algorithm.

First make sure of what you have:
just because the file is not "readable text" does not mean it is encrypted. It could just be a (proprietary) binary format.

If it really is encrypted, then the contents will appear entirely random.
If it's a (proprietary) binary format, then chances are that it will contain 'a lot' of binary 00 values.

Your best chance is asking around on the technical forums of said game. If the author isn't willing to give out the information, or someone else hasn't already done the grunt work, you could be looking at weeks/months of work trying to tie all things together.
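The "random vs. lots of 00 bytes" test from the post above, written out as an added Python example (not code from the thread): it measures byte entropy and the share of 0x00 bytes in a buffer. Both sample buffers and the thresholds are constructed assumptions for illustration; the second buffer is masked with a seeded PRNG as a stand-in for ciphertext, not a real cipher.

```python
import math
import random
import struct
from collections import Counter


def byte_stats(data: bytes) -> dict:
    """Shannon entropy in bits per byte, fraction of 0x00 bytes and the
    number of distinct byte values seen in the buffer."""
    if not data:
        raise ValueError("empty buffer")
    n = len(data)
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "entropy": entropy,
        "zero_fraction": counts.get(0, 0) / n,
        "distinct": len(counts),
    }


def classify(data: bytes) -> str:
    """Apply the heuristic from the post. The thresholds (7.5 bits/byte,
    1% and 5% zero bytes) are assumptions chosen for illustration."""
    s = byte_stats(data)
    if s["entropy"] > 7.5 and s["zero_fraction"] < 0.01:
        return "random-looking: encrypted or compressed"
    if s["zero_fraction"] > 0.05:
        return "structured binary: plenty of 0x00 bytes, likely a plain format"
    return "unclear: inspect by hand"


# Constructed sample 1: a made-up mesh layout (magic, counts, little-endian
# float vertices, 32-bit indices), the kind of thing an unencrypted model
# file looks like in a hex editor.
VERTS = b"".join(struct.pack("<3f", i * 0.5, i * 0.25, float(i % 3))
                 for i in range(256))
INDICES = b"".join(struct.pack("<I", i) for i in range(256))
MESH = b"MESH" + struct.pack("<II", 256, 256) + VERTS + INDICES

# Constructed sample 2: the same bytes masked with a seeded PRNG keystream,
# a stand-in for ciphertext so the script runs offline (not a real cipher).
_rng = random.Random(1234)
RANDOMISED = bytes(b ^ _rng.getrandbits(8) for b in MESH)

if __name__ == "__main__":
    for name, buf in (("mesh", MESH), ("randomised", RANDOMISED)):
        print(name, byte_stats(buf), classify(buf))
```

Run it against a real unpacked file by replacing MESH with the file's bytes; a result in the "unclear" band usually means compression or a partially encrypted container rather than a clean answer either way.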